Sympa
Presentation
Sympa is a mailing list manager. See http://www.sympa.org for more information. There are two ways to configure SSO with Sympa:
- Sympa provides a magic authentication mechanism, which displays a special button on the interface. When the user clicks on it, if he already has an SSO session, he is directly authenticated.
- LemonLDAP::NG has also a Sympa auto-login feature (since 0.9.4) so users are automatically authenticated into Sympa.
Magic authentication
Sympa configuration
Edit the file "auth.conf", for example:
# vi /etc/sympa/auth.conf
And fill it (replace all "example" elements):
generic_sso
service_name LemonLDAP::NG
service_id lemonldapng
email_http_header HTTP_MAIL
netid_http_header HTTP_AUTH_USER
internal_email_by_netid 1
logout_url http://sympa.example.com/wws/logout
- Additional authentication schemes can be set, but they will be ignored with the LemonLDAP::NG auto-login feature.
Apache configuration
We recommend creating a virtual host for Sympa (e.g. http://sympa.example.com). Then configure this virtual host in your existing Apache configuration:
# The following lines must be set once for all virtualhosts
NameVirtualHost *
PerlRequire /var/lib/lemonldap-ng/handler/MyHandler.pm
PerlOptions +GlobalRequest
<Files ~ "\.(pl)$">
    SetHandler perl-script
    PerlHandler ModPerl::Registry
    PerlSendHeader On
</Files>

# Define here all protected virtualhosts
<VirtualHost *>
    ServerName sympa.example.com

    # WebSSO protection :
    # * with auto-login
    PerlHeaderParserHandler Handler
    # * without auto-login
    #<Location /wws/sso_login/lemonldapng>
    #    PerlHeaderParserHandler Handler
    #</Location>
    #
    # Optional : reload mechanism (see doc for more)
    <Location /reload>
        PerlHeaderParserHandler Handler->reload
    </Location>

    # Sympa normal configuration (example)
    RedirectMatch ^/$ /wws
    Alias /wwsicons /usr/share/sympa/icons
    ScriptAlias /wws /usr/lib/cgi-bin/sympa/wwsympa.fcgi

    # Logging
    LogLevel warn
    ErrorLog /var/log/apache2/sympa-error.log
    CustomLog /var/log/apache2/sympa-access.log combined
</VirtualHost>
LemonLDAP::NG configuration
Go to the Manager and create a new virtual host: sympa.example.com
Then create the access rule. Example:
default => accept
And set the correct HTTP headers:
Auth-User => $uid
mail => $mail
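The header names in auth.conf and the headers exported by LemonLDAP::NG must agree: a request header reaches wwsympa as a CGI variable named HTTP_ plus the header name in upper case with dashes turned into underscores, so Auth-User becomes HTTP_AUTH_USER. The check below is an added example, not part of the original documentation or of either project's code; its function names and the auth.conf paragraph layout it assumes (type name on the first line, one "key value" pair per line, blank line between paragraphs) are this example's own.

```python
# Added example (not LemonLDAP::NG or Sympa code). Assumed auth.conf layout:
# paragraphs separated by blank lines, type name first, then "key value" lines.

def cgi_env_name(header):
    """CGI variable under which a request header reaches wwsympa (RFC 3875)."""
    return "HTTP_" + header.upper().replace("-", "_")

def parse_generic_sso(auth_conf_text):
    """Return the key/value pairs of the first generic_sso paragraph."""
    params, inside = {}, False
    for raw in auth_conf_text.splitlines():
        line = raw.strip()
        if line.startswith("#"):
            continue
        if not line:                      # a blank line closes a paragraph
            if inside:
                break
            continue
        if not inside:                    # skip other paragraph types
            inside = line == "generic_sso"
            continue
        key, *rest = line.split(None, 1)
        params[key] = rest[0] if rest else ""
    return params

def check_header_mapping(auth_conf_text, exported_headers):
    """List the Sympa header parameters that no exported header satisfies."""
    params = parse_generic_sso(auth_conf_text)
    provided = {cgi_env_name(h) for h in exported_headers}
    problems = []
    for key in ("email_http_header", "netid_http_header"):
        wanted = params.get(key)
        if wanted is None:
            problems.append(f"{key}: not defined in generic_sso")
        elif wanted not in provided:
            problems.append(f"{key}: {wanted} is not set by any exported header")
    return problems

# Header-related lines of the auth.conf and the exported headers from this page
AUTH_CONF = """\
generic_sso
service_id lemonldapng
email_http_header HTTP_MAIL
netid_http_header HTTP_AUTH_USER
"""
EXPORTED = {"Auth-User": "$uid", "mail": "$mail"}

if __name__ == "__main__":
    print(check_header_mapping(AUTH_CONF, EXPORTED) or "headers match")
```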
Sympa auto-login
Note: this configuration strengthens Sympa's security, as the Sympa auth cookie is neither visible nor editable by users.
Configure Sympa virtual host in Apache
Configure the Sympa vhost like any other protected vhost, but use the Sympa handler instead of the default handler.
<VirtualHost *>
    ServerName sympa.example.com

    # Load Sympa Handler
    PerlRequire __HANDLERDIR__/MyHandlerSympa.pm
    PerlHeaderParserHandler My::Sympa

</VirtualHost>
Configure Sympa Handler parameters
Go to the Manager, Default parameters > Advanced parameters > Special handlers > Sympa, and edit the following keys:
- Shared key: corresponds to the cookie parameter of sympa.conf
- Mail session key: session field where to find user mail (by default: mail)
For older releases (0.9.4)
The above method does not work for LemonLDAP::NG < 1.0. Follow these steps instead:
- edit the file /var/lib/lemonldap-ng/handler/MyHandler.pm and replace "SharedConf" with "SympaAutoLogin"
- store the Sympa secret in /etc/lemonldap-ng/sympa.secret (parameter "cookie" from sympa.conf)
- change the rights of /etc/lemonldap-ng/sympa.secret to 600 (can be owned by root because it's read at Apache startup only)
- restart Apache